mirror of
https://github.com/trailofbits/algo
synced 2024-11-18 09:25:38 +00:00
30 lines
1.3 KiB
Django/Jinja
30 lines
1.3 KiB
Django/Jinja
*nat
|
|
:PREROUTING ACCEPT [0:0]
|
|
:POSTROUTING ACCEPT [0:0]
|
|
-A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE
|
|
COMMIT
|
|
*filter
|
|
:INPUT DROP [0:0]
|
|
:FORWARD DROP [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A INPUT -p esp -j ACCEPT
|
|
-A INPUT -p ah -j ACCEPT
|
|
# rate limit ICMP traffic per source
|
|
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP
|
|
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
|
|
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
|
|
# TODO:
|
|
# The IP of the resolver should be bound to a DUMMY interface.
|
|
# DUMMY interfaces are the proper way to install IPs without assigning them any
|
|
# particular virtual (tun,tap,...) or physical (ethernet) interface.
|
|
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT
|
|
-A INPUT -d {{ local_service_ip }} -p tcp -m multiport --dport 8080,8118 -j ACCEPT
|
|
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
-A FORWARD -p tcp --dport 445 -j DROP
|
|
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
|
|
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
|
|
-A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT
|
|
COMMIT
|